Tavis Ormandy of the Gentoo Linux Security Audit Team discovered that the checkscores() function in scores.c reads in the data from the /var/games/tetris-bsd.scores file without validation, rendering it vulnerable to buffer overflows and incompatible with the system used for managing games on Gentoo Linux. As a result, it cannot be played securely on systems with multiple users. Please note that this is probably a Gentoo-specific issue.
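The class of check that is missing, as an added example that is not the bsd-games code: a loader for a score file that other users can write to, which bounds the record count and verifies each name field before the table is used. The record layout and the names MAXSCORES, NAMELEN, load_scores and demo_load are assumptions made for illustration, and the sample files are constructed in a temporary file.

```c
#include <stdio.h>
#include <string.h>

#define MAXSCORES 80   /* assumed capacity of the in-memory table */
#define NAMELEN   20   /* assumed size of the name field */

/* Hypothetical on-disk record; not the real tetris-bsd.scores layout. */
struct score { char name[NAMELEN]; int points; };

/* Returns the number of records accepted, or -1 if the file is rejected. */
int load_scores(FILE *fp, struct score *tab, size_t cap)
{
    int n;
    if (fread(&n, sizeof n, 1, fp) != 1)
        return -1;
    /* The count comes from the file: bound it before using it as a length. */
    if (n < 0 || (size_t)n > cap)
        return -1;
    if (fread(tab, sizeof *tab, (size_t)n, fp) != (size_t)n)
        return -1;     /* file holds fewer records than it claims */
    for (int i = 0; i < n; i++) {
        /* A name with no NUL inside its field would be read past its end. */
        if (memchr(tab[i].name, '\0', NAMELEN) == NULL || tab[i].points < 0)
            return -1;
    }
    return n;
}

/* Write a constructed file claiming `claimed` records but holding `actual`,
 * with or without a terminated name, then run the loader over it. */
int demo_load(int claimed, int actual, int terminate_name)
{
    struct score tab[MAXSCORES], rec;
    FILE *fp = tmpfile();
    int n;
    if (fp == NULL)
        return -2;
    memset(&rec, terminate_name ? 0 : 'A', sizeof rec);
    rec.points = 100;
    fwrite(&claimed, sizeof claimed, 1, fp);
    for (int i = 0; i < actual; i++)
        fwrite(&rec, sizeof rec, 1, fp);
    rewind(fp);
    n = load_scores(fp, tab, MAXSCORES);
    fclose(fp);
    return n;
}

int main(void)
{
    printf("%d %d %d\n", demo_load(2, 2, 1), demo_load(1000, 2, 1), demo_load(1, 1, 0));
    return 0;
}
```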

Impact
======

A local user who is a member of group "games" may be able to modify the tetris-bsd.scores file to trigger the execution of arbitrary code with the privileges of other players.

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200603-26.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.